Why Boards Are Backing Identity-Centric Security
As cybersecurity investment priorities sharpen for 2026, the concentration around Zero Trust, Risk & Compliance, and IAM signals more than a routine budgeting cycle. In the Cyber Security Tribe Annual Report, these three areas emerged as the leading investment priorities among 455 cybersecurity practitioners surveyed between December 2025 and January 2026. Together, they point to a wider reassessment of how organizations establish trust, govern access, and prove control effectiveness across increasingly distributed environments.
This article is part of Cyber Security Tribe’s wider editorial series built from the findings of the annual report and expert discussions held at RSAC 2026 in San Francisco. Across the series, senior cybersecurity leaders and practitioners were asked to respond to questions shaped by the report’s data, including topics such as agentic AI, AI governance, quantum computing, employee concerns, and security investment priorities. For this article, the focus turns to one of the report’s clearest signals: do rising investments in Zero Trust, Risk & Compliance, and IAM reflect a lasting shift toward identity-centric security, or are they being driven primarily by regulatory pressure and board scrutiny?
The responses that follow examine why identity now sits closer to the center of enterprise security strategy. They explore how access control, authentication, governance, and continuous verification are becoming more tightly connected to resilience, operational trust, and breach prevention. They also consider whether this shift is being accelerated by external pressure, including regulation, disclosure requirements, and tougher board expectations around accountability.
This article highlights how experts are thinking about identity as both a core enforcement layer and part of a broader control model that also depends on network visibility, policy consistency, and measurable governance.
Thought leaders who contributed to this article include:
Ashish Jain, CTO, OneSpan
It should come as no surprise that these areas are seeing heavy investment in 2026. Advanced phishing, social engineering, and AI-driven threats like deepfakes are making identity-centric security the cornerstone of today’s security strategies. As organizations move away from traditional network and perimeter-based controls, identity is becoming the new perimeter.
Highly regulated sectors like financial services and banking will undoubtedly factor in legislative and board pressures, but effectiveness is the primary driver. Organizations are recognizing that they are not immune to cyberattacks, and that static controls can no longer keep pace with modern threats.
Attackers can steal login credentials with ease, and sophisticated methods like phishing, social engineering, and adversary-in-the-middle attacks exploit identities, sessions, and trusted channels or coerce users into misusing them. This is why static authentication must be replaced by dynamic, continuous identity validation, with safeguards embedded directly into digital interactions. This is especially critical in financial services, where trust drives customer decisions and acts as the foundation of every interaction.
Boards are asking tougher questions because breaches carry growing financial, operational, and reputational consequences. Identity is central to fraud prevention, customer experience, and enterprise resilience, and the need for success in these core competencies is driving robust security investment.
Something I’m watching very closely is the adoption of passkeys and FIDO-based authentication. As identity becomes the new perimeter, organizations need modern, phishing-resistant authentication that can protect against social engineering, credential theft, and adversary-in-the-middle attacks. That’s why we’re seeing strong momentum behind FIDO2 standards and passkeys, as organizations look to anchor security in cryptographic, device-bound identity and move beyond passwords altogether.
Kevin Paige, Field CISO at ConductorOne
It's both, but I'd argue the structural shift is the more important driver. Regulatory pressure creates urgency, but what's sustaining these investments is a fundamental recognition that identity is the control plane for modern security.
Consider what these three priorities have in common. Zero trust is built on the principle that every access request must be verified — that's an identity decision. Risk and compliance increasingly revolve around who and what has access to sensitive data — that's identity governance. And IAM is identity by definition. When you look at the top three investment priorities and all three are identity-adjacent, that's not a coincidence. It's convergence.
The board scrutiny angle is real but secondary. Boards are asking better questions about cybersecurity because breaches have material consequences — SEC disclosure rules, class action exposure, stock price impact. Those questions naturally lead to identity because that's where most breaches start. The Verizon DBIR consistently shows credential abuse and access failures as the dominant attack vectors.
What I think is genuinely new is that identity is no longer being treated as an IT productivity function. For years, IAM lived under IT operations — it was about provisioning accounts and resetting passwords. The shift we're seeing is IAM moving into the security stack as a core control. That's a permanent architectural change, not a response to a regulatory cycle. Compliance will ebb and flow. The centrality of identity to security will not.
Willie Tejada, GM & SVP, Aviatrix
Identity is necessary but not sufficient. We’ve built zero trust around who gets in but almost nobody is verifying what happens inside the cloud network once they’re there. That’s not a regulatory reaction. That’s a structural blind spot.
Boards are paying closer attention, and regulatory pressure is real. But the deeper driver is architectural. The perimeter no longer exists in any meaningful way. In multicloud environments, every workload behaves like its own mini data center, and most of them are ephemeral. When infrastructure is dynamic and distributed, identity becomes the primary control plane.
That said, identity alone is not sufficient. Breaches increasingly unfold through lateral movement between workloads and through unmonitored outbound traffic inside the cloud network itself. The long-term shift isn’t just identity-centric security, it’s securing the cloud network layer. Continuous verification at the workload level, enforced across clouds, with full visibility into lateral movement. That is where Zero Trust becomes real rather than aspirational.
Shashi Kiran, Chief GTM Officer, Nile
Zero Trust, Risk & Compliance, and IAM were cited as the top three 2026 investment priorities. Does this reflect a long-term shift toward identity-centric security? Or is it primarily driven by regulatory pressure and board scrutiny?
Yes, identity-centric security is going to be very foundational to everything. If we cannot verify the “who”, then every transaction can be compromised and the organization is at risk. Compromised identities are a big source of breaches. Zero-Trust architectures and identity-centric security are therefore going to be table stakes. AI and agentic bots have exponentially increased the attack surface. We view this as a short to medium term shift.
Tony Velleca, CEO, CyberProof
I’d say it’s a bit of both. The regulatory compliance follows the logical progression of what's happening in the security industry. If you look at the major trends, the perimeter-based model is gone. We no longer operate inside a protected network with a firewall at the edge. In today’s environment, everything is connected - your cell phone, your car, your refrigerator - essentially every device. At the same time, evolving attack techniques are being enabled, like deepfakes, for example, that are intended to fool the user. One thing that has remained constant is that humans are still the weakest link. So, it makes sense that regulatory compliance is focused on identity controls, authentication and governance to mitigate risk.
But now you have another thing to worry about. In today’s world, AI agents are more similar to people than they are to devices. They have their own "identities" and are given access to things as a human would. So, the whole concept of zero trust now applies to agents, and this will become even more important in the future, because agents themselves are being given access and privileges that used to belong to humans. They have the authority to do work, and will begin taking over administrative responsibilities for networks. Because of this, zero trust and two-factor authentication, and all the things that you need to protect the efficacy of an identity, are bound to be more important as a foundation. The regulatory compliance is a response to this. Regulatory pressure and board scrutiny may accelerate spending, but the reality is that regulations are responding to identity-centric security shifts.
Roy Akerman, Head of Cloud and Identity Security at Silverfort
We are seeing this shift very clearly across customers and partners globally, and it reflects a structural change in cybersecurity rather than just regulatory pressure. The reality is that identity has become the primary control plane of modern security. Today’s attackers rarely break in; they log in, abusing credentials, tokens, and legitimate privileges to move laterally across environments. Industry research consistently shows that the vast majority of breaches involve compromised identities or misuse of access privileges. The major attack waves of 2024 to 2025 reinforced this trend, with many incidents tied to identity takeover rather than traditional vulnerabilities.
At the same time, the rise of AI agents, operating with both human and machine identities, means identity is no longer just about users but about every entity interacting with systems. The result is a long-term strategic shift: identity is becoming both the main attack surface and the most powerful enforcement layer in cybersecurity. Regulatory scrutiny and board oversight may accelerate investment, but the deeper driver is the recognition that if you don’t control identity, you don’t control your environment.
Erez Tadmor, Field CTO at Tufin
The prioritization of Zero Trust, Risk & Compliance, and IAM reflects more than a short-term response to regulation. It points to a broader shift in how organizations think about trust, access, and control in increasingly distributed environments. Identity is central to that shift, but it is only one part of the enforcement equation. If identity governs who gets access, the network determines what they can reach and how that access is actually used, while data ultimately defines what is at risk. That is why these priorities are converging.
The network remains the foundational layer every user, application, workload, and AI model depends on, but it is also one of the most abstracted and operationally complex layers in the modern enterprise. It spans hybrid infrastructure, cloud, third parties, remote users, and machine-to-machine communication. In that kind of environment, complexity without guardrails quickly becomes exposure. Zero Trust, IAM, and Risk & Compliance are rising together because organizations need consistent, policy-based control across identity, network, and data, not siloed security programs that operate independently.
Regulatory pressure and board scrutiny are clearly accelerating investment because both now demand measurable accountability and clearer proof of control effectiveness. But the deeper driver is structural. Enterprises are recognizing that resilience depends on being able to govern access, movement, and exposure in a unified way. So, this is definitely not just an identity-centric shift; it is a broader move toward enforceable, policy-driven security architecture that aligns operational reality with business trust.
Darren Meyer, Security Research, Checkmarx
It’s risky to predict long-term shifts, but it does seem like a reinvestment in strong identity as a key control that both reflects regulatory realities and responds to an increasingly distributed workforce. Boards are following regulatory and legislative winds, but forward-looking CISOs are anticipating the disruption to established identity systems driven by AI and looking to strengthen controls now.
Niall Browne, CEO and Co-Founder, AIBound
This is a long-term structural shift, not merely a regulatory reaction. Identity has long been the new perimeter, but AI has made this an urgent operational reality. LLMs, autonomous agents, and MCP-connected tools now access vast amounts of sensitive enterprise data, and each of the thousands of AI resources within an organization requires its own identity and credentials.
Non-human identities now far outnumber human users, and each one is an expanding attack surface. We have already seen breaches where compromised service account tokens provided attackers with lateral access across entire cloud estates -- the same risk now applies to every AI agent identity.
Security teams must discover, govern, and continuously verify every AI agent and machine identity as part of their Zero Trust initiatives -- a single compromised agent identity can move laterally across a multi-cloud environment in milliseconds. The convergence of ZTNA, Risk & Compliance, and IAM as top investment priorities reflects this maturing understanding: identity governance is now the control plane for enterprise security in an AI-driven world.
Stephanie Schneider, Cyber Threat Intelligence Analyst, LastPass Threat Intelligence, Mitigation and Escalation (TIME) team
It’s both a real strategic shift and a response to regulatory pressure, but identity‑centric security reduces risk in ways boards can feel. From my perspective as a cyber threat intelligence analyst, most intrusions start with compromised access. Focusing on identity shrinks the attack surface by enforcing strong authentication (ideally phishing‑resistant), permitting least privilege access, and continuously verifying identity. The net effect of all three investment priorities (Zero Trust, Risk & Compliance, and IAM) can mean fewer successful initial access events, faster containment when something does slip through, and clearer accountability that satisfies regulators and reassures the board.
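Two of the responses above (Ashish Jain on passkeys and FIDO-based authentication, Stephanie Schneider on phishing-resistant authentication and continuous verification) rest on one mechanism: a device-bound key signs a fresh challenge together with the origin the device actually sees, so a credential relayed through a lookalike site or replayed from an earlier session is rejected. The following Go program is an added example written for this article, not code from the page or from any of the contributors' companies. It is a deliberately simplified model of that origin-bound challenge-response (Ed25519 over a hashed origin-plus-challenge, not the real WebAuthn message formats or algorithms); the origins `login.example.test` and `login.examp1e.test` and the session-age thresholds in `NeedsReverification` are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Credential is what the relying party keeps from registration: the device's
// public key and the web origin it was registered for (simplified model, not
// the WebAuthn data structures).
type Credential struct {
	PublicKey ed25519.PublicKey
	Origin    string
}

// Assertion is the authenticator's answer to one login challenge.
type Assertion struct {
	Origin    string // the origin the device actually observed
	Challenge []byte
	Signature []byte
}

// Authenticator models a device-bound key pair: the private key never leaves
// the device, and the device always signs over the origin it is talking to.
type Authenticator struct{ priv ed25519.PrivateKey }

// NewAuthenticator generates a fresh device key pair.
func NewAuthenticator() (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, pub, nil
}

// signedMessage length-prefixes the origin so origin bytes and challenge
// bytes cannot be shifted into one another, then hashes both together.
func signedMessage(origin string, challenge []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(origin)))
	h := sha256.New()
	h.Write(n[:])
	h.Write([]byte(origin))
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert is what the device produces when a page at observedOrigin asks it to
// sign a challenge; a page cannot ask the device to sign some other origin.
func (a *Authenticator) Assert(observedOrigin string, challenge []byte) Assertion {
	return Assertion{Origin: observedOrigin, Challenge: challenge,
		Signature: ed25519.Sign(a.priv, signedMessage(observedOrigin, challenge))}
}

// Verify is the relying party's check: registered origin, the exact challenge
// it issued for this attempt, and a valid signature over both.
func Verify(cred Credential, issued []byte, a Assertion) error {
	if a.Origin != cred.Origin {
		return errors.New("origin mismatch: assertion was made for another site")
	}
	if !bytes.Equal(a.Challenge, issued) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if !ed25519.Verify(cred.PublicKey, signedMessage(a.Origin, a.Challenge), a.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// NeedsReverification is the continuous-verification half: a session is not
// trusted forever, and sensitive actions require a much fresher assertion.
// Thresholds are constructed for this example.
func NeedsReverification(lastAssert, now time.Time, sensitive bool) bool {
	age := now.Sub(lastAssert)
	if sensitive {
		return age > 5*time.Minute
	}
	return age > 8*time.Hour
}

// Scenario runs three login attempts against one registered credential and
// returns the verifier's verdict for each: a genuine login, a challenge relayed
// through a lookalike origin (adversary-in-the-middle), and a replay of an old
// assertion against a new challenge.
func Scenario() (genuine, relayed, replayed error) {
	const site = "https://login.example.test"     // constructed origin
	const lookalike = "https://login.examp1e.test" // constructed attacker origin
	fresh := func() []byte { c := make([]byte, 32); rand.Read(c); return c }
	auth, pub, err := NewAuthenticator()
	if err != nil {
		return err, err, err
	}
	cred := Credential{PublicKey: pub, Origin: site}
	c1 := fresh()
	good := auth.Assert(site, c1)
	genuine = Verify(cred, c1, good)
	// The lookalike page forwards the real site's challenge, but the device
	// signs over the origin it sees, so the forwarded assertion names the wrong site.
	c2 := fresh()
	relayed = Verify(cred, c2, auth.Assert(lookalike, c2))
	// An assertion captured earlier does not match the challenge of a new attempt.
	replayed = Verify(cred, fresh(), good)
	return genuine, relayed, replayed
}

func main() {
	g, r, p := Scenario()
	fmt.Println("genuine:", g, "| relayed:", r, "| replayed:", p)
	now := time.Now()
	fmt.Println("sensitive action after 10m needs re-verify:",
		NeedsReverification(now.Add(-10*time.Minute), now, true))
}
```

The point to take from `Verify` is that the phishing resistance comes from the origin being part of the signed data on the device side, not from any check the user performs; a password or one-time code relayed by the lookalike page would have passed. `NeedsReverification` shows the other half of the argument: the assertion grants a session, not permanent trust, and the verifier decides per request how fresh that proof must be.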